bad security

I think the letter copied below explains the situation better than I can repeat it here, but during a recent interaction with UPMC Health Systems, I was surprised to find a lack of good security practice. How many more security breaches or information leaks need to happen before somebody starts auditing these systems for security issues?

Edward McCallister
UPMC Health Systems
200 Lothrop Street
Forbes Tower, Suite 10072
Pittsburgh, PA 15213

Dear Mr. McCallister,

I’m writing you as an information security professional because, during a recent interaction with your organization, I encountered behavior that could possibly lead to a breach of confidentiality.

Recently, I had trouble logging into the “MyHealth” portal to complete the necessary steps to receive my “Health Reward” offered through the University of Pittsburgh (where I work) and UPMC. I called the help desk, and was told that my account was locked. The operator (who was very nice, by the way) then confirmed my password with me. By confirming my password, I mean she read what I had originally entered as a password back to me over the telephone.

What is troubling is that she (or anybody) has access to my plain text password. This is not standard industry procedure. In this circumstance, operators can typically reset passwords to something known; the end-user is then usually forced to change passwords upon login. My point is that telephone operators (and anybody else) cannot see what the password is currently set to. This type of handling of passwords is even reflected in many operating systems’ password entry fields; the fields show asterisks instead of the actual characters as you type into them.

What makes this particular problem worth your attention? Passwords are usually authentication tokens tied to individual people; only I know my password. Administrators, for instance, may have access to my data under their own “administrator” credentials (accesses that are probably logged with their username for auditing purposes), but with the system as you currently have it set up, anybody can pose as what the system thinks is (and therefore logs as) “me”. It would be impossible for anybody to prove who “me” really was; it could be anyone that knows (or can find out) my password—me, any telephone operator or a system administrator.

What makes this even more dangerous? If a malicious individual were to gain access to your database, he or she could potentially have a list of plain text passwords. This would make it trivial for them to login using any of the compromised credentials, without the difficulty of having to “crack” a hashed password.

I take the confidentiality of my health information seriously and, as a steward of health information, I’m sure UPMC does, too. Part of enterprise security processes (and auditing), as I know from my education, is knowing who accesses what information when (and perhaps from where). Your system has security lapses of a type that prevent a reliable “mapping” of accesses back to the who I describe (assuming your system is secure otherwise).

I hope that you find time to discuss this issue with your information security team, and at least let me know that you received this letter and are working on resolving the issue.

Sincerely yours,

Jeffrey Maki
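The letter describes the practice it expects: passwords stored as hashes rather than plain text, help-desk operators who can only reset a password to a fresh temporary value, and a forced change on the next login. The following Python sketch, added here as an illustration and not part of the letter or of any UPMC system, models that flow with a constructed in-memory account store; the user name, passwords and PBKDF2 iteration count are placeholder values chosen for the example.

```python
import hashlib
import hmac
import os
import secrets

# PBKDF2 work factor: a placeholder for this example, tune it for real deployments.
PBKDF2_ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Return (salt, digest). Only these two values are ever stored."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class PortalAccounts:
    """Toy in-memory account store (constructed for this example).

    Nobody, including help-desk staff, can read a current password: the store
    holds only salted digests, so an operator can reset but never "confirm".
    """

    def __init__(self):
        self._users = {}  # username -> record of salt, digest and flags

    def register(self, username, password):
        salt, digest = hash_password(password)
        self._users[username] = {"salt": salt, "digest": digest,
                                 "must_change": False, "locked": False}

    def lock(self, username):
        """Simulate the lockout the letter mentions (e.g. too many failures)."""
        self._users[username]["locked"] = True

    def login(self, username, password):
        rec = self._users.get(username)
        if rec is None:
            return "unknown"
        if rec["locked"]:
            return "locked"
        _, digest = hash_password(password, rec["salt"])
        # Constant-time comparison of the recomputed digest with the stored one.
        if not hmac.compare_digest(digest, rec["digest"]):
            return "denied"
        if rec["must_change"]:
            return "must_change"  # correct password, but a change is forced
        return "ok"

    def helpdesk_reset(self, username):
        """Operator action: unlock and issue a random temporary password.

        The old password cannot be recovered from its digest, so the operator
        can only hand out a new temporary one and force a change at next login.
        """
        rec = self._users[username]
        temp = secrets.token_urlsafe(12)
        rec["salt"], rec["digest"] = hash_password(temp)
        rec["must_change"] = True
        rec["locked"] = False
        return temp

    def change_password(self, username, old, new):
        """User action after a reset: prove knowledge of the temporary password."""
        rec = self._users[username]
        _, digest = hash_password(old, rec["salt"])
        if not hmac.compare_digest(digest, rec["digest"]):
            return False
        rec["salt"], rec["digest"] = hash_password(new)
        rec["must_change"] = False
        return True

    def stored_values(self, username):
        """What a stolen copy of the table would expose: salt and digest bytes only."""
        rec = self._users[username]
        return rec["salt"] + rec["digest"]


if __name__ == "__main__":
    # Walk through the scenario from the letter with placeholder credentials.
    acct = PortalAccounts()
    acct.register("portal-user", "correct horse battery")
    acct.lock("portal-user")
    temp = acct.helpdesk_reset("portal-user")      # operator sees only this
    print(acct.login("portal-user", temp))          # must_change
    acct.change_password("portal-user", temp, "new pass")
    print(acct.login("portal-user", "new pass"))    # ok
```

The point of the design is in `helpdesk_reset`: with only a salted digest on file, the operator's screen has nothing to read back, and the audit trail records a reset event by the operator followed by a forced change by the user, so logins afterwards can be attributed to the account holder alone.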

“say it enough, and it becomes true…”

I know this might not be anything new, but I recently noticed a trend in some of my collected photos of things energy-related: the branding of various legacy energy sources as “eco”. So far, I’ve seen gasoline, coal and ethanol branded as “eco-friendly”. No doubt you’ve seen the TV ads from BP, Chevron or Shell extolling their new “clean energy” initiatives; but have you seen the latest railcars or billboards?

Despite increasingly prolific evidence to the contrary, big energy companies seem to think that if they keep saying it enough, it will become true. “Coal: clean green energy.” Granted, West Virginia (and parts of Pennsylvania) *is* coal country, so nobody around here wants to see “old coal” go away. This was confirmed during my work in McDowell County, WV. During interviews with the economic development agency and other locals, the loss of coal operations was spoken about as a huge blow to the state; losing the little bit that’s left would be seen as even worse. It’s been hard for people to find new jobs after working for coal companies all their lives. How is coal supposed to stay relevant in today’s eco-fetish society? (Besides China being a huge new consumer of coal–maybe not from West Virginia, but still…) Personally, I think coal is a struggling, but likely soon to die enterprise.

In my opinion, there are clear winners in the alternative energy fest, and clear losers. Losers? Big coal. American auto companies (with crappy, unpopular hybrid offerings). Big winners? Asian automakers (think Prius. Think profit.). And ethanol. Ethanol’s all the buzz, and who’s on the “receiving end” of this huge revenue stream? Check out ADM’s stock performance. Not bad. Can’t beat those government subsidies, and fickle environmental trends both going your way–nothing’s better for the stock price! :-)

the recycle man and the public: an interaction gone wrong

Today, while waiting in bed to get up, I heard some screaming outside the window. Something like, “Can you move over? There’s plenty of room over here…” Getting up to check it out, I noticed a blue Honda mini-van behind the recycling truck going down my street. The recycling truck was picking up the blue bags on each side, as usual. She was asking the recycle truck to move so she could get by.

The recycle guy responded with something like “it’s not my fault, people aren’t supposed to park on both sides of the street”. She waited there for awhile, and I just went back to bed.

About five minutes later, I heard this constant horn sound–roughly two minutes’ worth. I got back up, and saw her hanging out the window, this time yelling, “I gotta catch a plane!” in between her honks. The recycle guys didn’t respond, and kept throwing bags into the back of the truck. A minute or two went by, and finally she yelled, “Fuck you!” and did an eight-point turn-around, going back down the street the way she came. Others waited patiently behind her.

What’s so interesting about this? Well, besides just being plain rude, there was clearly a “me first” attitude here (no surprise there). A rational person would have turned down the alley roughly 10 feet away, and gone around the block to get past the blockage. Secondly, there was a lack of respect for the fact that the recycle guys have a job to do–they can’t pull over next to everybody’s house to pick up bags; it’d just take too long. They have hundreds of homes to stop at.

Maybe an isolated incident, but still an interesting glimpse into what is perhaps a daily occurrence for the public servants of Pittsburgh who are forced to deal with narrow streets.

PAT’s west mifflin garage

Last week, Alex and I went to the Alternative Transportation Festival at the Southside Works. We saw representatives from GASP, BikePGH and the Port Authority of Allegheny County (PAT). PAT was there to highlight their new Hybrid Gillig Busses, and they sent the director of the West Mifflin garage, Dennis Parish, to share the story. Alex and I spoke to Dennis for quite awhile at the festival and he, probably sensing our interest, invited us back to the garage for a tour! We, of course, took him up on the offer.

We found Dennis’ office after entering a side door (we didn’t know where to go in!), and Dennis was really gracious to drop his work, grab a two-way radio, and walk with us around the facility. We saw the scheduling area, the “pick” (bid) board, the break room, the dispatch desk, the holding area for busses, the bus wash, the maintenance facilities (paint shop, body shop, engine shop, A/C shop) and the parking lot outside.

He highlighted some of PAT’s environmental initiatives, including recycling bus wash water, using rainwater (in part) for the bus wash, and recycling oil and other engine fluids. They also, more expectedly, save money and “recycle” by retreading tires, re-milling brake drums (a maximum of 8 times), and rebuilding many of the bus’ engine components (most of this work is done at the PAT facility in Manchester, however). Dennis runs a tight ship, and everything is rather neat inside the building, though dirty with grease and oil.

Dennis has a great relationship with his employees–they all wave to him, and him to them. He said his policy was to pretty much leave people alone to do their work. That implies a lot of confidence and respect for him by his employees, and vice-versa.

Believe it or not, the bus garage is pretty empty during the day–many of his workers come in at night to clean the busses, he said. Maintenance is done during the day, but the facility is in operation almost 24 hours a day. Some operators, he said, even end up sleeping at the garage! Dennis said his scheduling rule of thumb was “to have my people here when the busses are here–no sense in paying them to sit around waiting for a bus”. Can’t argue with that.

Alex and I were both amazed at the level of autonomy Dennis reported–he has his own budget, orders his own supplies/parts, and is responsible for having enough busses to cover his routes. If they are short, he “asks the foreman to fix more busses”. No borrowing from other garages!

We couldn’t take pictures without the approval of media relations, which we didn’t seek (yet), so no pictures to share on this one, and it’s hard to remember all the things we saw and spoke about–Dennis was really kind in sharing his time and extensive knowledge with us, and we both appreciate his generosity. For a governmental organization, PAT is really great–they seem really community-focused, responsive and they appear to be making a genuine effort to serve their constituents. Next time you complain about the fare increases, remember this: it really costs PAT ~$13 for your $2.25 ride!

delmont apples and arts festival

It was a long day yesterday–Alex and I, after going to the safety parade, went to the Delmont Apple and Arts Festival in Delmont, PA. There was cider(!), a tractor pull, apples for sale, crafts and an antique farm equipment show.

One of the most disturbing things we saw at the show was the proliferation of manufactured crafts. Almost all of them had UPC tags that said “Made in China”. Even crafts without the tags were assembled from manufactured pieces. The closest we came to handmade were some wood crafts made on a laser cutter. Not exactly a craft per se, if you just load the software and watch a machine cut.

The whole thing was a fun time, but it left us wondering: “Doesn’t anybody make anything by hand anymore?”
